[RANGER-2932] [Ozone Ranger Plugin] Security Zones are not getting enforced during Authorization - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Not A Bug
Affects Version/s: 2.1.0
Fix Version/s: None
Component/s: plugins
Labels:
- ranger

Description

Observed that Security Zones for Ozone Plugin are not getting enforced, and Ranger is relying on Non-Zone Policies for deciding the Access.

Steps:

Created a security zone finance-zone-20200728123343
There is no policy granting access to volume-finance in service finance-20200728123343 which is attached to the security zone created in the 1st step.
Create ozone volume volume-finance as a hrt_21 test user. [hrt_21 is part of both users and finance groups]

Expected Result: Volume creation should be denied as there is no policy granting access in Zone attached service.

Actual Result: Volume creation is successful using a Non-Zone policy present [which provides access to hrt_21 test user]

Similar results are observed with multi-level resources [volume-bucket-key] in the zone, where the zone policy is not honored instead it relies on the Non-zone policy for deciding the access.

Any inputs on how to debug this further?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Finance Security Zone.png
29/Jul/20 16:07
403 kB
Abhishek Shukla

Activity

People

Assignee:: Unassigned

Reporter:: Abhishek Shukla

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29/Jul/20 08:13

Updated:: 27/Apr/21 08:46

Resolved:: 30/Jul/20 08:19